Exploring Privacy, Mobility and BYOD Through the Lens of the CIO
In just the past few years, the role of the CIO has changed a great deal. Technology is moving faster than ever before, and this rate of change is creating a whole new set of challenges for the head of technology. Perhaps nothing has had a bigger impact on CIOs than the growth of mobility, especially the management of devices and apps that are often not owned or fully managed by the enterprise.
With BYOD and the blurred lines of mobile technology for personal and professional use, how much privacy can a company reasonably offer its employees? One would assume a standard right to discretion; however, the way we share, monitor, and store information means we likely have little real privacy any more. That said, where does the law—and your responsibility as a CIO or technology leader—begin and end when it comes to mobile technology and staff member expectations?
How Data Is Tracked and Stored
To get a better idea of the relationship between privacy, data storage, and your rights, look at Apple’s built-in GPS. This standard iPhone feature, with location services enabled, collects information based on when and where you use your phone—and what for. This data (though not transmitted over the web) can be used to inform location-based ads and recommend popular spots based on your interests.
In reality, this kind of collection is incredibly common—and whether or not you’re aware, it’s likely taking place with an app you’ve downloaded or an agreement you’ve signed. Those harmless Facebook quizzes that tell you which Star Wars character you are? They exist to collect your personal information, which you consent to by participating. As you can imagine, the relationship between data storage and privacy is shockingly (and permissibly) fluid.
What the Law Says
While much of this data collection seems somewhat harmless and passive, since it is mostly designed to provide a better ad experience, the invasive nature of such tracking and data collection on mobile devices that share sensitive company data can be unnerving for CIOs, to say the least. It leaves them wondering how best to protect company data without becoming overly restrictive of employees’ mobile experience.
Such privacy risk may be fine when it comes to a desktop that’s never “on the clock”, but if you’re connecting to the web professionally, there’s a lot to consider. For example, many states have enacted laws requiring companies to reimburse some or all employee service plan fees when they use personal devices for work. Unfortunately, few specify what data belongs to the user and what belongs to an organization.
There’s no legislation that specifically addresses BYOD, but plenty of laws govern data obligations and privacy. With so much going on behind the legal scenes, it’s important to understand your and your employer’s legal obligations:
- Notification laws. Depending on the industry, state and federal laws have stringent requirements based on what information can be shared. For example, HIPAA regulations are especially strict. A healthcare professional, therefore, has to carefully guard any patient information on his or her smartphone or tablet.
- Data security. Accordingly, companies will want to keep their data safe if employees are logging on and sharing content. Trade secrets, for instance, could be a major concern for executives who routinely work on a mobile device. There are even international data protection laws that may come into play.
Understanding these official restrictions is a good starting point, but ultimately, the privacy employees are entitled to depends on the usage agreements they sign with their employer. Therefore, contractual obligations are the most important factor when it comes to confidentiality.
The CIO’s Guide to Better BYOD
Binding contracts are an everyday occurrence in our interconnected world. Staying informed of these obligations is your best defense when it comes to protecting the company’s interest while providing employees some level of personal privacy. Sadly, data agreements are becoming so common that they’re easily ignored. Employees may not take the time to read through every policy they come across, but it is important that they do so when it comes to BYOD. Mobile Device Management (MDM) affects every part of the organization that uses mobile devices, so be aware of and critically assess these areas before agreeing:
- The enrollment process. This should be a simple process that requires little effort for new users. A basic email could send users to an MDM enrollment process that requires a quick click. This will automatically gather and store basic user information, so expect some data commitment at this step.
- Device configuration. The MDM system you implement for employees to use should allow for over-the-air configuration. Once configured, profiles, settings, and credentials will be delivered to the storage infrastructure. Expect prohibited access to restricted applications as well as warnings when data usage limits are exceeded.
- What’s prohibited. An MDM system can detect information like personal calendars, contacts, and emails, text messaging, application information, voicemails, and caller history. Furthermore, read about the gadgets you’re allowed to use. Most people juggle multiple devices professionally and informally; taking a new tablet to work may seem innocuous to many employees, but is it secure enough for them to share company info? Helping them understand the difference will reduce the chance of them unintentionally violating a usage agreement.
- Self-service standards. To get work-related devices functioning as quickly as possible, employers may allow (or require) you to set up the device personally. Common self-service functions include: password and PIN reset, geo-location for lost devices, and the ability to erase a device remotely.
- Monitoring standards. Most likely, a BYOD agreement means a company will monitor its connected devices and return data to pinpoint areas that need adjustment. Create a clear statement regarding what info the company reserves the right to collect.
Once employees have signed on the dotted line, they take responsibility for updating the devices that they work on. However, CIOs should aspire to do more than just get the signature; they should also provide continued education and guidance on the best ways for employees to manage sensitive data while using personal devices.
To further clarify the relationship between personal and corporate data, consider teaching employees the importance of, and best practices for, storing company applications, documents, and other business information separately. Furthermore, if the business pays for a data plan, you may consider tracking usage.
Privacy is always a contentious issue, and never more so than today when people’s digital public, private, and professional lives are becoming so intermingled. Contentious as it may be, it certainly isn’t an issue to take lightly. What are your thoughts on this? Do you have a plan in place? I would love to hear about it.